Sam Shahsavar discovered that Apache Tomcat did not properly reject
HTTP requests with an invalid Content-Length header. A remote attacker
could possibly use this issue to perform HTTP request smuggling attacks.
Category Archives: Advisories
GLSA 202407-23: LIVE555 Media Server: Multiple Vulnerabilities
yt-dlp-2024.07.07-1.fc39
FEDORA-2024-c07c365ba7
Packages in this update:
yt-dlp-2024.07.07-1.fc39
Update description:
Update to 2024.07.07
Update to 2024.07.02
USN-6885-1: Apache HTTP Server vulnerabilities
Marc Stern discovered that the Apache HTTP Server incorrectly handled
serving WebSocket protocol upgrades over HTTP/2 connections. A remote
attacker could possibly use this issue to cause the server to crash,
resulting in a denial of service. (CVE-2024-36387)
Orange Tsai discovered that the Apache HTTP Server mod_proxy module
incorrectly sent certain request URLs with incorrect encodings to backends.
A remote attacker could possibly use this issue to bypass authentication.
(CVE-2024-38473)
Orange Tsai discovered that the Apache HTTP Server mod_rewrite module
incorrectly handled certain substitutions. A remote attacker could possibly
use this issue to execute scripts in directories not directly reachable
by any URL, or cause a denial of service. Some environments may require
using the new UnsafeAllow3F flag to handle unsafe substitutions.
(CVE-2024-38474, CVE-2024-38475, CVE-2024-39573)
Orange Tsai discovered that the Apache HTTP Server incorrectly handled
certain response headers. A remote attacker could possibly use this issue
to obtain sensitive information, execute local scripts, or perform SSRF
attacks. (CVE-2024-38476)
Orange Tsai discovered that the Apache HTTP Server mod_proxy module
incorrectly handled certain requests. A remote attacker could possibly use
this issue to cause the server to crash, resulting in a denial of service.
(CVE-2024-38477)
It was discovered that the Apache HTTP Server incorrectly handled certain
handlers configured via AddType. A remote attacker could possibly use this
issue to obtain source code. (CVE-2024-39884)
krb5-1.21.2-6.fc41
FEDORA-2024-36514cd080
Packages in this update:
krb5-1.21.2-6.fc41
Update description:
Automatic update for krb5-1.21.2-6.fc41.
Changelog
* Mon Jul 8 2024 Julien Rische <jrische@redhat.com> – 1.21.2-6
– CVE-2024-37370 CVE-2024-37371: GSS message token handling
Resolves: rhbz#2294678 rhbz#2294680
– Fix double free in klist’s show_ccache()
Resolves: rhbz#2257301
– Do not include files with “~” termination in krb5-tests
USN-6884-1: Nova vulnerability
Martin Kaesberger discovered that Nova incorrectly handled QCOW2 image
processing. An authenticated user could use this issue to access arbitrary
files on the server, possibly exposing sensitive information.
USN-6883-1: OpenStack Glance vulnerability
Martin Kaesberger discovered that Glance incorrectly handled QCOW2 image
processing. An authenticated user could use this issue to access arbitrary
files on the server, possibly exposing sensitive information.
USN-6882-1: Cinder vulnerability
Martin Kaesberger discovered that Cinder incorrectly handled QCOW2 image
processing. An authenticated user could use this issue to access arbitrary
files on the server, possibly exposing sensitive information.
USN-6881-1: Exim vulnerability
It was discovered that Exim did not enforce STARTTLS sync point on client
side. An attacker could possibly use this issue to perform response
injection during MTA SMTP sending.
qt6-qtbase-6.7.2-3.fc40
FEDORA-2024-9bf3ff4133
Packages in this update:
qt6-qtbase-6.7.2-3.fc40
Update description:
Fix CVE-2024-39936.